Difference between revisions of "Eduroam Configuration"
From NREN
| Line 30: | Line 30: | ||
# radtest bob@uni0.edu.np hello localhost 20 testing123 | # radtest bob@uni0.edu.np hello localhost 20 testing123 | ||
| + | |||
| + | |||
| + | File: clients.conf | ||
| + | ## clients.conf -- client configuration directives | ||
| + | ####################################################################### | ||
| + | client localhost { | ||
| + | ipaddr = 127.0.0.1 | ||
| + | secret = testing123 | ||
| + | nas_type = other # localhost isn't usually a NAS... | ||
| + | } | ||
| + | |||
| + | client testing { | ||
| + | ipaddr = 45.64.162.158 | ||
| + | secret = testing123 | ||
| + | nas_type = other | ||
| + | } | ||
| + | |||
| + | client nepal-flr-1 { | ||
| + | ipaddr = 202.52.0.18 | ||
| + | netmask = 32 | ||
| + | secret = longSecretPasswordHere | ||
| + | require_message_authenticator = no | ||
| + | shortname = nepal-flr-1 | ||
| + | nastype = other | ||
| + | virtual_server = eduroam | ||
| + | } | ||
| + | |||
| + | File: sites-available/eduroam -- radius configuration | ||
| + | ## sites-available/eduroam -- radius configuration | ||
| + | ####################################################################### | ||
| + | server eduroam { | ||
| + | listen { | ||
| + | type = "auth" | ||
| + | ipaddr = * | ||
| + | port = 0 | ||
| + | } | ||
| + | listen { | ||
| + | type = "acct" | ||
| + | ipaddr = * | ||
| + | port = 0 | ||
| + | } | ||
| + | authorize { | ||
| + | # only use filter_username from version > 3.0.7 on | ||
| + | filter_username | ||
| + | if ("%{client:shortname}" != "nepal-flr-1") { | ||
| + | update request { | ||
| + | Operator-Name := "1nren.net.np" | ||
| + | # the literal number "1" above is an important prefix! Do not change it! | ||
| + | } | ||
| + | } | ||
| + | # if you want detailed logging | ||
| + | auth_log | ||
| + | suffix | ||
| + | mschap | ||
| + | eap | ||
| + | files | ||
| + | #sql | ||
| + | pap | ||
| + | } | ||
| + | authenticate { | ||
| + | Auth-Type PAP { | ||
| + | pap | ||
| + | } | ||
| + | Auth-Type CHAP { | ||
| + | chap | ||
| + | } | ||
| + | Auth-Type MS-CHAP { | ||
| + | mschap | ||
| + | } | ||
| + | digest | ||
| + | eap | ||
| + | } | ||
| + | preacct { | ||
| + | suffix | ||
| + | } | ||
| + | accounting { | ||
| + | detail | ||
| + | #sql | ||
| + | } | ||
| + | post-auth { | ||
| + | reply_log | ||
| + | Post-Auth-Type REJECT { | ||
| + | reply_log | ||
| + | } | ||
| + | } | ||
| + | pre-proxy { | ||
| + | pre_proxy_log | ||
| + | if("%{Packet-Type}" != "Accounting-Request") { | ||
| + | attr_filter.pre-proxy | ||
| + | } | ||
| + | } | ||
| + | post-proxy { | ||
| + | post_proxy_log | ||
| + | attr_filter.post-proxy | ||
| + | } | ||
| + | } | ||
| + | |||
| + | File: sites-available/eduroam-inner-tunnel | ||
| + | ## sites-available/eduroam-inner-tunnel -- radius configuration | ||
| + | ####################################################################### | ||
| + | server eduroam-inner-tunnel { | ||
| + | authorize { | ||
| + | auth_log | ||
| + | eap | ||
| + | mschap | ||
| + | #sql | ||
| + | files | ||
| + | } | ||
| + | authenticate { | ||
| + | eap | ||
| + | mschap | ||
| + | Auth-Type MS-CHAP { | ||
| + | mschap | ||
| + | } | ||
| + | } | ||
| + | post-auth { | ||
| + | reply_log | ||
| + | } | ||
| + | } | ||
| + | |||
| + | File: proxy.conf | ||
| + | ## proxy.conf | ||
| + | ####################################################################### | ||
| + | proxy server { | ||
| + | default_fallback = no | ||
| + | } | ||
| + | |||
| + | home_server npflr1 { | ||
| + | type = auth+acct | ||
| + | ipaddr = 202.52.0.18 | ||
| + | port = 1812 | ||
| + | secret = longSecretPasswordHere | ||
| + | status_check = status-server | ||
| + | } | ||
| + | |||
| + | home_server npflr2 { | ||
| + | type = auth+acct | ||
| + | ipaddr = 202.52.0.4 | ||
| + | port = 1812 | ||
| + | secret = longSecretPasswordHere | ||
| + | status_check = status-server | ||
| + | } | ||
| + | |||
| + | home_server_pool EDUROAM { | ||
| + | type = fail-over | ||
| + | home_server = npflr1 | ||
| + | home_server = npflr2 | ||
| + | } | ||
| + | |||
| + | realm NULL { | ||
| + | nostrip | ||
| + | } | ||
| + | |||
| + | realm "^uni0\.edu\.np" { | ||
| + | nostrip | ||
| + | } | ||
| + | |||
| + | realm "~.+$" { | ||
| + | pool = EDUROAM | ||
| + | nostrip | ||
| + | } | ||
| + | |||
| + | |||
| + | File: mods-available/eap.conf | ||
| + | ## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.) | ||
| + | ####################################################################### | ||
| + | |||
| + | eap { | ||
| + | default_eap_type = peap | ||
| + | timer_expire = 60 | ||
| + | ignore_unknown_eap_types = no | ||
| + | cisco_accounting_username_bug = no | ||
| + | max_sessions = ${max_requests} | ||
| + | |||
| + | tls { | ||
| + | certdir = ${confdir}/certs | ||
| + | cadir = ${confdir}/certs | ||
| + | private_key_password = whatever | ||
| + | private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key | ||
| + | certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem | ||
| + | ca_file = /etc/ssl/certs/ca-certificates.crt | ||
| + | dh_file = ${certdir}/dh | ||
| + | random_file = /dev/urandom | ||
| + | fragment_size = 1024 | ||
| + | include_length = yes | ||
| + | check_crl = no | ||
| + | cipher_list = "DEFAULT" | ||
| + | } | ||
| + | |||
| + | ttls { | ||
| + | default_eap_type = mschapv2 | ||
| + | copy_request_to_tunnel = yes | ||
| + | use_tunneled_reply = yes | ||
| + | virtual_server = "eduroam-inner-tunnel" | ||
| + | } | ||
| + | |||
| + | peap { | ||
| + | default_eap_type = mschapv2 | ||
| + | copy_request_to_tunnel = yes | ||
| + | use_tunneled_reply = yes | ||
| + | virtual_server = "eduroam-inner-tunnel" | ||
| + | } | ||
| + | |||
| + | mschapv2 { | ||
| + | } | ||
| + | } | ||
Revision as of 11:59, 31 December 2018
Basic Setup for eduroam
Lab Plan
- Basic Ubuntu 18.04 is installed
- Install FreeRADIUS
- Basic Configuration
- Testing
- Configure Wifi
- Configure Certificates for WPA2 Enterprise
- Configure WiFi - uni1, uni2, uni3, uni4 (For lab use only) SSIDs should be lowercase "eduroam" for the production deployment
- Check IDP (Local university login)
- Configure Peering
- Check peering
freeRadius 3.0
Add a user to the freeradius authorize File: /etc/freeradius/3.0/users (/etc/freeradius/3.0/mods-config/files/authorize)
## Users - user logins
#######################################################################
"bob@uni0.edu.np" Cleartext-Password := "hello"
Reply-Message := "Hello, %{User-Name}"
Reload freeradius
# systemctl restart freeradius
Testing
# radtest bob@uni0.edu.np hello localhost 20 testing123
File: clients.conf
## clients.conf -- client configuration directives
#######################################################################
client localhost {
ipaddr = 127.0.0.1
secret = testing123
nas_type = other # localhost isn't usually a NAS...
}
client testing {
ipaddr = 45.64.162.158
secret = testing123
nas_type = other
}
client nepal-flr-1 {
ipaddr = 202.52.0.18
netmask = 32
secret = longSecretPasswordHere
require_message_authenticator = no
shortname = nepal-flr-1
nastype = other
virtual_server = eduroam
}
File: sites-available/eduroam -- radius configuration
## sites-available/eduroam -- radius configuration
#######################################################################
server eduroam {
listen {
type = "auth"
ipaddr = *
port = 0
}
listen {
type = "acct"
ipaddr = *
port = 0
}
authorize {
# only use filter_username from version > 3.0.7 on
filter_username
if ("%{client:shortname}" != "nepal-flr-1") {
update request {
Operator-Name := "1nren.net.np"
# the literal number "1" above is an important prefix! Do not change it!
}
}
# if you want detailed logging
auth_log
suffix
mschap
eap
files
#sql
pap
}
authenticate {
Auth-Type PAP {
pap
}
Auth-Type CHAP {
chap
}
Auth-Type MS-CHAP {
mschap
}
digest
eap
}
preacct {
suffix
}
accounting {
detail
#sql
}
post-auth {
reply_log
Post-Auth-Type REJECT {
reply_log
}
}
pre-proxy {
pre_proxy_log
if("%{Packet-Type}" != "Accounting-Request") {
attr_filter.pre-proxy
}
}
post-proxy {
post_proxy_log
attr_filter.post-proxy
}
}
File: sites-available/eduroam-inner-tunnel
## sites-available/eduroam-inner-tunnel -- radius configuration
#######################################################################
server eduroam-inner-tunnel {
authorize {
auth_log
eap
mschap
#sql
files
}
authenticate {
eap
mschap
Auth-Type MS-CHAP {
mschap
}
}
post-auth {
reply_log
}
}
File: proxy.conf
## proxy.conf
#######################################################################
proxy server {
default_fallback = no
}
home_server npflr1 {
type = auth+acct
ipaddr = 202.52.0.18
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server npflr2 {
type = auth+acct
ipaddr = 202.52.0.4
port = 1812
secret = longSecretPasswordHere
status_check = status-server
}
home_server_pool EDUROAM {
type = fail-over
home_server = npflr1
home_server = npflr2
}
realm NULL {
nostrip
}
realm "^uni0\.edu\.np" {
nostrip
}
realm "~.+$" {
pool = EDUROAM
nostrip
}
File: mods-available/eap.conf
## mods-available/eap.conf -- Configuration for EAP types (PEAP, TTLS, etc.)
#######################################################################
eap {
default_eap_type = peap
timer_expire = 60
ignore_unknown_eap_types = no
cisco_accounting_username_bug = no
max_sessions = ${max_requests}
tls {
certdir = ${confdir}/certs
cadir = ${confdir}/certs
private_key_password = whatever
private_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
certificate_file = /etc/ssl/certs/ssl-cert-snakeoil.pem
ca_file = /etc/ssl/certs/ca-certificates.crt
dh_file = ${certdir}/dh
random_file = /dev/urandom
fragment_size = 1024
include_length = yes
check_crl = no
cipher_list = "DEFAULT"
}
ttls {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
peap {
default_eap_type = mschapv2
copy_request_to_tunnel = yes
use_tunneled_reply = yes
virtual_server = "eduroam-inner-tunnel"
}
mschapv2 {
}
}
